On 05/17, Bardur Arantsson wrote:
> On 2014-05-17 22:08, Bardur Arantsson wrote:
>
> Hm. Rethinking this I was going to say something about listing (and
> screening) all the files that a package *would* install, but it seems
> that it's not possible to list files installed by a package before
> ins
May I remind everyone that makepkg is a bash script.
Some might argue it's bloated and too long, while others might counter
that the discussion is going on way too long already and forking a
bash script for personal use would generally be an option.
I'd be glad if the devs kept things "generally"
On 05/18, Oon-Ee Ng wrote:
> On Sun, May 18, 2014 at 12:57 AM, Bigby James
> wrote:
> > On 05/17, Dimitris Zervas wrote:
> >> On May 17, 2014 5:22:32 PM EEST, Roland Tapken wrote:
> >>
> >> BTW: Another good idea that would be helpful is add comments on installed
> >> packages on pacman. e.g. w
On 2014-05-17 15:49, Bardur Arantsson wrote:
On 2014-05-17 22:08, Bardur Arantsson wrote:
On 2014-05-17 21:50, Roland Tapken wrote:
Hi Bardur,
Even if your assumption about pacman is correct: Just let the
malicious
PKGBUILD write a file into /etc/cron.d/, /etc/systemd or something
like that
在 2014-5-18,4:49,Bardur Arantsson 写道:
> Hm. Rethinking this I was going to say something about listing (and
> screening) all the files that a package *would* install, but it seems
> that it's not possible to list files installed by a package before
> installing it...?
>
> (pacman -Ql only accept
On 17/05/14 03:12 PM, Bardur Arantsson wrote:
> On 2014-05-17 14:40, Roland Tapken wrote:
>> Hi,
>>
>> I'm using arch for about half a year on a few systems, but every time I
>> install something from aur I'm asking myself one question:
>>
>> Why is it considered dangerous to run makepkg as root?
On Sat, May 17, 2014 at 5:40 AM, Roland Tapken wrote:
> My first guess was that the PKGBUILD usually comes from an untrusted source
> and
> may contain code to attack my system (copy personal data or install a rootkit
> or something like that).
I think that the point isn't that you're not suppos
On 2014-05-17 22:55, ushi wrote:
> Am 17.05.2014 22:08, schrieb Bardur Arantsson:
>> On 2014-05-17 21:50, Roland Tapken wrote:
>>> Hi Bardur,
>>>
Maybe I've missed something reading through this thread, but *assuming*
(yeah, I know) that packages can't run arbitrary scripts at install tim
Am 17.05.2014 22:08, schrieb Bardur Arantsson:
> On 2014-05-17 21:50, Roland Tapken wrote:
>> Hi Bardur,
>>
>>> Maybe I've missed something reading through this thread, but *assuming*
>>> (yeah, I know) that packages can't run arbitrary scripts at install time
>>> (which I think is a valid assumpti
On 2014-05-17 22:08, Bardur Arantsson wrote:
> On 2014-05-17 21:50, Roland Tapken wrote:
>> Hi Bardur,
>>
>> Even if your assumption about pacman is correct: Just let the malicious
>> PKGBUILD write a file into /etc/cron.d/, /etc/systemd or something like that
>> and you're doomed. No need for pr
On 2014-05-17 21:50, Roland Tapken wrote:
> Hi Bardur,
>
>> Maybe I've missed something reading through this thread, but *assuming*
>> (yeah, I know) that packages can't run arbitrary scripts at install time
>> (which I think is a valid assumption for pacman),
>
> Is this so? I don't know since I
Hi Bardur,
> Maybe I've missed something reading through this thread, but *assuming*
> (yeah, I know) that packages can't run arbitrary scripts at install time
> (which I think is a valid assumption for pacman),
Is this so? I don't know since I've only scratched the surface of arch until
now. Bu
On 2014-05-17 14:40, Roland Tapken wrote:
> Hi,
>
> I'm using arch for about half a year on a few systems, but every time I
> install something from aur I'm asking myself one question:
>
> Why is it considered dangerous to run makepkg as root?
>
> My first guess was that the PKGBUILD usually co
On Sun, May 18, 2014 at 12:57 AM, Bigby James wrote:
> On 05/17, Dimitris Zervas wrote:
>> On May 17, 2014 5:22:32 PM EEST, Roland Tapken wrote:
>>
>> BTW: Another good idea that would be helpful is add comments on installed
>> packages on pacman. e.g. why did you install them. But that's anothe
On Sat, May 17, 2014 at 03:49:49PM +0300, Dimitris Zervas wrote:
>
>
> >The second idea is that this advice should prevent the script from
> >*accidentally* damage my system. But this could be prevented by using
> >fakeroot
> >(which is disabled when calling makepkg with --asroot according to
On 05/17, Dimitris Zervas wrote:
> On May 17, 2014 5:22:32 PM EEST, Roland Tapken wrote:
>
> BTW: Another good idea that would be helpful is add comments on installed
> packages on pacman. e.g. why did you install them. But that's another thread
>
No offense, but if you need to ask yourself why
Hi,
> I would really like to help patching, but my time is extremely limited
> (finals in 2 weeks).
>
> Good luck! :)
I'll think I'll have a try, also my time is very limited, too :-)
Regards,
Roland
signature.asc
Description: This is a digitally signed message part.
On May 17, 2014 5:22:32 PM EEST, Roland Tapken wrote:
>Hi,
>
>> A good idea is to automatically change to a much more restricted
>user, used
>> just for building (no shells, logins, etc.).
>
>What do you think about patching yaourt to that it, if executed as
>root, runs
>makepkg as a special use
Hi,
> A good idea is to automatically change to a much more restricted user, used
> just for building (no shells, logins, etc.).
What do you think about patching yaourt to that it, if executed as root, runs
makepkg as a special user? Or changing makepkg to drop it's own privileges if
executed
On Sat, May 17, 2014 at 2:40 PM, Roland Tapken wrote:
> Hi,
>
> I'm using arch for about half a year on a few systems, but every time I
> install something from aur I'm asking myself one question:
>
> Why is it considered dangerous to run makepkg as root?
>
> My first guess was that the PKGBUILD u
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Am 17.05.2014 14:40, schrieb Roland Tapken:
> Hi,
>
> I'm using arch for about half a year on a few systems, but every
> time I install something from aur I'm asking myself one question:
>
> Why is it considered dangerous to run makepkg as root?
>
>
>The second idea is that this advice should prevent the script from
>*accidentally* damage my system. But this could be prevented by using
>fakeroot
>(which is disabled when calling makepkg with --asroot according to the
>
>manpage) or chroot. And actually the proper advice in this case should
Hi,
I'm using arch for about half a year on a few systems, but every time I
install something from aur I'm asking myself one question:
Why is it considered dangerous to run makepkg as root?
My first guess was that the PKGBUILD usually comes from an untrusted source and
may contain code to atta
23 matches
Mail list logo
